In addition to the above restrictions, any application whose total size is larger than 7F00h must use the "Memory Copy Additional Static" and "Memory Fill Additional Static" primitives to access the additional static data located above 7EFFh. For such an application, ST[0] indicates only the last static byte located in the normal Static area. It does not indicate the end of the Static area; the "Get Static Size" primitive must be used to determine the end of the Static area.

Primitive Support

The primitives listed here are those that were included in the target specification. Applies to all masks.

| Primitive | Supported | Optional / Mandatory |
|---|---|---|
| Add BCDN | Yes | Optional |
| AES ECB Decipher | Yes | Optional |
| AES ECB Encipher | Yes | Optional |
| Block Decipher | Yes | Optional |
| Block Encipher | Yes | Optional |
| Bit Manipulate Byte | Yes | |
| Bit Manipulate Word | Yes | |
| Call Codelet | Yes | |
| Call Extension 0, 1, 2, 3, 4, 5, 6 | Yes | |
| Card Block | Yes | |
| Check Case | Yes | |
| Checksum | Yes | |
| Configure Read Binary | Yes | Optional |
| Configure Security Checks | Yes | Optional |
| Control Auto Reset WWT | Yes | |
| Convert BCDN | Yes | Optional |
| Delegate | Yes | |
| DES ECB Decipher | Yes | |
| DES ECB Encipher | Yes | |
| DivideN | Yes | |
| ECC Addition | No | Optional |
| ECC Convert Representation | No | Optional |
| ECC Equality Test | No | Optional |
| ECC Inverse | No | Optional |
| ECC Scalar Multiplication | No | Optional |
| ECC Verify Point | Yes | Optional |
| Exchange Data | Yes | Optional |
| Exit to MULTOS and Restart | Yes | Optional |
| Generate Asymmetric Hash General | Yes | |
| Generate Asymmetric Signature General | No | Optional |
| Generate DES CBC Signature | Yes | |
| Generate Random Prime | Yes | Optional |
| Generate Triple DES CBC Signature | Yes | |
| Get Data | Yes | |
| Get Delegator AID | Yes | |
| Get DIR File Record | Yes | |
| Get File Control Information | Yes | |
| Get Manufacturer Data | Yes | |
| Get Memory Reliability | Yes | |
| Get MULTOS Data | Yes | |
| Get Purse Type | Yes | |
| Get Random Number | Yes | |
| Get Static Size | Yes | Optional |
| Load CCR | Yes | |
| Lookup | Yes | |
| Memory Compare | Yes | |
| Memory Compare Fixed Length | Yes | |
| Memory Copy | Yes | |
| Memory Copy Additional Static | Yes | Optional |
| Memory Copy Fixed Length | Yes | |
| Modular Exponentiation | Yes | |
| Modular Exponentiation CRT | Yes | |
| Modular Exponentiation CRT Protected | Yes | Optional |
| Memory Fill Additional Static | Yes | Optional |
| Modular Inverse | No | Optional |
| Modular Multiplication | Yes | Optional |
| Modular Reduction | Yes | Optional |
| MultiplyN | Yes | |
| Platform Optimized Checksum | Yes | Optional |
| Process Proprietary Extension Primitives (0-6) | Yes | Extension used is 2 |
| Query Channel | Yes | Optional |
| Query Codelet | Yes | |
| Query Interface Type | Yes | |
| Query0, Query1, Query2, Query3 | Yes | |
| Reset Session Data | Yes | |
| Reset WWT | Yes | |
| Return from Codelet | Yes | |
| Secure Hash | No | Optional |
| SEED ECB Decipher | Yes | Optional |
| SEED ECB Encipher | Yes | Optional |
| Set AFI | Yes | Optional |
| Set ATR File Record | Yes | |
| Set ATR Historical Characters | Yes | |
| Set ATS Historical Characters | Yes | Optional |
| Set FCI Record | Yes | |
| Set Select SW | Yes | |
| Set Transaction Protection | Yes | |
| SHA-1 | Yes | |
| Shift Left | Yes | |
| Shift Right | Yes | |
| Store CCR | Yes | |
| Subtract BCDN | Yes | Optional |
| Triple DES Decipher | Yes | Optional |
| Triple DES Encipher | Yes | Optional |
| Verify Asymmetric And Retrieve General | No | Optional |

Implementation Specific Characteristics

Zero Block Size

The following instructions and primitives have the block size specified in the code (as opposed to being run-time data). The following table shows how each will perform if a zero block size is specified. Applies to all masks.

| Type | Instruction / Primitive | Operation |
|---|---|---|
| Instruction | LOAD, STORE, LOADI, STOREI | no operation |
| Instruction | CLEARN | no operation |
| Instruction | TESTN, INCN, DECN, NOTN | Z = 1 |
| Instruction | CMPN, ADDN, SUBN | C = 0, Z = 1 |
| Instruction | ANDN, ORN, XORN | Z = 1 |
| Primitive | MultiplyN | Z = 1 |
| Primitive | DivideN | C = 1, Z = unchanged |
| Primitive | ShiftLeft, ShiftRight | C = 0, Z = 1 |
| Primitive | GetDIRFileRecord, GetFileControlInformation | One byte set to zero pushed onto stack. If the application specified does not exist, C = 1, Z = 1. If the application specified exists, C = 0, Z = 0 |
| Primitive | GetManufacturerData, GetMULTOSData, GetPurseType | One byte set to zero pushed onto stack, C = 0 |
| Primitive | | Undefined: implementation specific handling |
| Primitive | | Undefined: implementation specific handling |
| Primitive | MemoryCompareFixedLength | DT' = DT - 4, C = 0, Z = 1 |
| Primitive | MemoryCopyFixedLength | DT' = DT - 4 |
| Primitive | AddBCDN / SubBCDN | Max operand length = 6 bytes |

Maximum Number of Pages Permitted in a Single Write

The maximum number of pages is at least nine when transaction protection is used. It is possible to write more than nine pages if there is free EEPROM. Note that if an attempt is made to write more than nine pages and there is insufficient free EEPROM, an abnormal end to processing will occur.

Condition Code Register

This implementation does support signed arithmetic. The N and V flags are present in the CCR, and they may be changed by some instructions. However, signed arithmetic is not guaranteed and should be avoided. They may be used by an application using the Load CCR and Store CCR primitives, but this may affect the portability of the application.

Supported Modulus Lengths of Cryptographic Primitives

All values given are in bytes.

| Primitive | Lengths supported |
|---|---|
| Modular Exponentiation, public exponent not 3 | Greater than 0, but less than or equal to 256 bytes |
| Modular Exponentiation, public exponent of 3 | Greater than 0, but less than or equal to 256 bytes |
| Modular Exponentiation CRT | Between 2 and 256 bytes inclusive |
| Modular Multiplication | Greater than 0, but less than or equal to 256 bytes |
| Modular Reduction | Greater than 0, but less than or equal to 256 bytes |
| Generate Random Prime | Prime must be > 5 bytes and less than or equal to 128 bytes |
| RSA key pair Generation | Modulus size must be less than or equal to 256 bytes |
| ECC key gen, verify point, signature generate, signature verify | Up to 384 bits |
| AES ECB Encipher / Decipher | 128, 192, 256 bytes |

Confidential Application

If a confidential application larger than 64K requires an area at an offset beyond 64K into the ALU to be encrypted, then the area must start at an offset below 64K, and the area length can be increased to cover the required areas. This restriction exists because the area start item in the KTU area descriptors is specified as a word value by the MULTOS specification.

Important Remarks

This section contains important remarks about the Primitives and IFD commands of this implementation. Applies to all masks.

Functionality

Operation

Automated sending of Work Wait Time extension

The chip returns WWT extension request bytes when 75% of the WWT has expired.

Bit Manipulate Byte

Bit Manipulate Word

Bits 6 to 2 of b2 are ignored. That is, the primitives return the expected result regardless of the value of bits 6 to 2 of b2.

Checksum

If the checksummed area includes the parameters (the top four bytes of Dynamic), the checksum will be correctly calculated.

Default Application

This version 4.2.1 functionality is supported

DivideN

The length of each operand must not be greater than 128 bytes

Exchange Data

This primitive supports only the MIFARE channel (channel number 1). Access to channels other than 1 will cause an abend.

Returned MIFARE status codes:

00H - Operation completed without errors

01H - invalid operation

02H - invalid block number

43H - Password check failed

60H - Programming error

63H - Wrong Block Index

D0H – MIFARE Disabled

FFH - access prohibited (The accessed MIFARE sector is disabled)

Generate Asymmetric Hash General

If b2 (mode) takes an unsupported value, this primitive performs no operation. In particular, no bytes are popped from the stack.

This primitive supports a hash modulus length of 72 bytes in conjunction with a 16-byte hash digest or a 128-byte modulus with a hash chain length of 20 bytes.

Generate Random Prime

To avoid abend:

Timeout must be 0

RgMax must be greater than RgMin

Prime length must be greater than 5 and less than or equal to 128 bytes

If the destination is stack top, the last byte of retrieved data will be overwritten by the length of data retrieved. That is, the number of bytes copied is always returned on the stack regardless of the destination segment address.

Get Memory Reliability

MULTOS 4 always indicates memory is reliable: C = 0, Z = 0.

Lookup

If the target value appears more than once in the list, the location of the first is reported. The list need not be sorted. If the target value is not found, it is left unchanged on the stack.

Modular Exponentiation

The least significant bit of the modulus must be 1.

The exponent length and value must be greater than 0.

The modulus length must be greater than 0 and less than or equal to 256 bytes.

The modulus must not contain any full byte zeros at the most significant end.

Modulus Length must be >= Exponent Length

If Modulus Length is > 128 bytes then Exponent Length must not be > 4 bytes

If any of the conditions above are not met, an abnormal end will occur.

Modular Exponentiation CRT

The modulus length must be greater than 0, but not greater than 256 bytes. The length must also be an even number.

The length of each item must be modulus length divided by 2.

The most significant byte of primes p and q must not be 0.

The least significant bits of the primes p and q must be 1.

X (in the calculation Y = X^d mod N) must not be equal to 0.

If any of these conditions are not met, an abnormal end to processing will occur.

X (in the calculation Y = X^d mod N) must not be equal to 1.

If the above condition is not met, undefined results will occur.

Modular Multiplication

The modulus length must be greater than 0 and less than or equal to 256 bytes. Note this length does not include any leading zero bytes.

Modular Reduction

The modulus length must be greater than 0 and less than or equal to 256 bytes.

In addition to the conditions of Modular Exponentiation CRT primitive, Modular Exponentiation CRT Protected primitive also has the following conditions:

When the keys are encrypted or decrypted, it is required that the keys are stored with dpdq and pqu in contiguous memory.

Max operand length = 6 bytes.

Includes AES, DES, Triple DES and SEED.

Includes AES, DES, Triple DES and SEED.

Includes SHA-1 and SHA-256.

Checksum primitive

When running in T=CL, the ResetWWT primitive must be called before calling the Checksum primitive. If the checksum is to be computed over a large block, the block must be broken into blocks of maximum length 0x7500, with each call preceded by a call to ResetWWT.
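
The Modular Exponentiation and Modular Exponentiation CRT conditions listed under Important Remarks can be checked in application code before the primitive is invoked, so that malformed key material is rejected by the application instead of ending in an abend. The following is an added example, not code from the MULTOS specification or this implementation; the function names, result codes, big-endian operand layout and the assumption that X is modulus-length bytes are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical result codes for this example; not MULTOS-defined values. */
enum { PARAMS_OK = 0, PARAMS_ABEND = 1, PARAMS_UNDEFINED = 2 };

/* Operands are assumed big-endian: v[0] is the most significant byte. */
static int is_zero(const uint8_t *v, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (v[i] != 0) return 0;
    return 1;
}

/* Modular Exponentiation: any failed condition leads to an abnormal end. */
int check_modexp(const uint8_t *mod, size_t mod_len,
                 const uint8_t *expo, size_t exp_len) {
    if (mod_len == 0 || mod_len > 256) return PARAMS_ABEND;
    if (exp_len == 0 || is_zero(expo, exp_len)) return PARAMS_ABEND;
    if (mod[0] == 0) return PARAMS_ABEND;                 /* zero byte at MS end */
    if ((mod[mod_len - 1] & 1) == 0) return PARAMS_ABEND; /* LSB must be 1 */
    if (mod_len < exp_len) return PARAMS_ABEND;
    if (mod_len > 128 && exp_len > 4) return PARAMS_ABEND;
    return PARAMS_OK;
}

/* Modular Exponentiation CRT: p and q are mod_len / 2 bytes each; x is
 * assumed to be mod_len bytes. X == 1 gives undefined results, not an abend. */
int check_modexp_crt(size_t mod_len, const uint8_t *p, const uint8_t *q,
                     const uint8_t *x) {
    if (mod_len == 0 || mod_len > 256 || (mod_len % 2) != 0) return PARAMS_ABEND;
    size_t half = mod_len / 2;
    if (p[0] == 0 || q[0] == 0) return PARAMS_ABEND;      /* MS byte non-zero */
    if (!(p[half - 1] & 1) || !(q[half - 1] & 1)) return PARAMS_ABEND;
    if (is_zero(x, mod_len)) return PARAMS_ABEND;         /* X must not be 0 */
    if (x[mod_len - 1] == 1 && is_zero(x, mod_len - 1)) return PARAMS_UNDEFINED;
    return PARAMS_OK;
}
```
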